Skip to content

deps: modernize all dependencies (python, terraform, helm, images, CI)#131

Open
oferk0 wants to merge 10 commits into
CloudGeometry:mainfrom
oferk0:deps/modernization
Open

deps: modernize all dependencies (python, terraform, helm, images, CI)#131
oferk0 wants to merge 10 commits into
CloudGeometry:mainfrom
oferk0:deps/modernization

Conversation

@oferk0

@oferk0 oferk0 commented Jun 23, 2026

Copy link
Copy Markdown

Integration branch bundling the dependency modernization across all 5 layers. Each layer was reviewed/merged as its own PR on the fork (oferk0/cg-devx-core #1–5).

  • Python CLI — Poetry deps → latest (kubernetes 27→36, hvac 1→2, PyInstaller 5→6, …); fixed azure-storage import, pkg_resources removal, anyio floor. Verified: lock+install, frozen binary.
  • Terraform — azurerm 3→4, google 5→6, github 5→6, gitlab 18→19, EKS module 19→20 (Access Entries), providers pinned; const.py tool versions. Held aws 5.x / google 6.x / IAM v5 to avoid unverifiable rewrites. Verified: init -upgrade+validate; ⚠️ no live plan.
  • Helm/ArgoCD — 28 charts → latest + ArgoCD v2.14.12→v3.4.4, CRD lockstep. Verified: 29/29 helm template; ⚠️ review value drops via ArgoCD diff.
  • Images — pinned 3 :latest tags.
  • CI — checkout v7 / setup-python v6 / dependabot.

Layers touch disjoint files; k8s spine consistent (cluster 1.32 → kubectl 1.33 → client 36).

Ofer Kozokaro and others added 10 commits June 23, 2026 17:24
Bump all runtime and dev dependencies in tools/pyproject.toml to latest
stable releases and regenerate poetry.lock. Notable major bumps:
kubernetes 27->36, hvac 1->2, PyInstaller 5->6, azure-mgmt-* (storage/
compute/containerservice), configparser 6->7, google-cloud-storage 2->3,
boto3/awscli to 1.43/1.45, flake8 6->7. Raise Python ceiling to <3.14 and
migrate dev-dependencies to the [tool.poetry.group.dev] table.

Fix breaking changes surfaced by the upgrade:
- azure-mgmt-storage 25 removed the pinned v2021_04_01 API module; import
  SkuName/Kind from azure.mgmt.storage.models instead.
- setuptools 82 removed pkg_resources; resolve the bundled kubeconfig.yaml
  via importlib.resources (verified in the PyInstaller frozen binary).
- pin anyio >=4.9 so httpx-ws (via kr8s) finds AsyncContextManagerMixin.

Verified: poetry lock/install, cgdevxcli + all subcommands import, flake8
runs, PyInstaller build produces a working frozen binary that resolves the
bundled resource.
Pin previously-unpinned providers and bump everything to latest stable
within the constraints validated below. Each root/module was verified with
terraform init -upgrade + terraform validate (1.8.2 locally).

Providers:
- aws: pin to >= 5.0, < 6.0 (latest 5.100). Held at 5.x because EKS module
  v20 requires aws < 6.0; aws 6.x needs EKS v21 (declined as too risky).
- azurerm ~>3.86 -> ~> 4.0 (4.78). Fixed v4 breaking changes: subnet
  private_endpoint_network_policies_enabled (bool) -> private_endpoint_
  network_policies ("Disabled"); AKS enable_auto_scaling/enable_host_
  encryption/enable_node_public_ip -> *_enabled renames; removed the now-
  implicit  arg from azure_active_directory_role_based_access_control;
  key_vault enable_rbac_authorization -> rbac_authorization_enabled.
- google ~>5.45 -> ~> 6.0 (6.50). Held at 6.x because the pinned GKE module
  (kubernetes-engine 34.0.0) caps google < 7.0; google 7 needs the 34->44
  module rewrite (mirrors the EKS-v21 decision).
- harbor / sonarqube / restapi / vault: were unpinned; pinned to ~> 3.0 /
  ~> 0.16 / ~> 3.0 / ~> 5.0 (latest majors).
- kubernetes >= 2.10 -> >= 2.20, < 4.0 (resolves to 3.2).
- random ~>3.5.1 -> ~> 3.9.
- github provider 5.42 -> 6.0, gitlab provider 18.2 -> 19.1 (via const.py).
  Fixed gitlab v19 breaking changes in the repository module: gitlab_project
  issues_enabled -> issues_access_level; gitlab_branch_protection
  allowed_to_push nested block -> list attribute.

Modules:
- EKS module ~>19.16 -> ~> 20.37. Migrated off the removed create/manage_aws_
  auth_configmap to authentication_mode = API_AND_CONFIG_MAP +
  enable_cluster_creator_admin_permissions (Access Entries). IAM IRSA module
  held at ~>5.58 (v6 requires aws >= 6.28, incompatible with EKS v20 + aws 5).
- VPC module ~> 5.0 -> ~> 5.21.

CLI const.py: TERRAFORM_VERSION 1.6.4 -> 1.15.6, KUBECTL_VERSION 1.33.1 ->
1.33.13 (cluster default is 1.32; kubectl stays within +1 skew).

NOTE: validate-only. The AWS/Azure/GCP modules cannot be terraform-plan'd
without live cloud credentials + state; the EKS v20 Access Entry migration
in particular needs a reviewed plan before apply.
Bump every core-services Helm chart targetRevision (and the matching
cg-devx.metadata chart-version/version labels) to latest stable, and bump
the bundled ArgoCD install from v2.14.12 to v3.4.4. Each chart was verified
by rendering it with helm template at the new version using the Application's
own inline values (29/29 render clean); the ArgoCD kustomize base was
verified with kubectl kustomize (71 resources, image v3.4.4).

Notable bumps: kube-prometheus-stack 72.6.2 -> 87.1.0 and prometheus-
operator-crds 20.0.0 -> 30.0.0 (kept in lockstep, both app v0.92.0);
external-secrets 0.16.0 -> 2.6.0; vault 0.26.1 -> 0.33.0; velero 7.2.1 ->
12.0.3; loki 6.30.0 -> 7.0.0; harbor 1.16.3 -> 1.19.1; cert-manager 1.17.2
-> 1.20.2; ingress-nginx 4.12.2 -> 4.15.1; argo-workflows 0.45.15 -> 1.0.17;
backstage 1.6.0 -> 2.8.2; kyverno + kyverno-policies 3.4.1 -> 3.8.x
(lockstep); keda 2.17.1 -> 2.20.1; trivy-operator 0.28.1 -> 0.33.2;
gpu-operator 24.3.0 -> 26.3.2; cluster-autoscaler 9.46.6 -> 9.58.0;
gitlab-runner 0.77.2 -> 0.90.0; plus atlantis, tracee, external-dns,
reloader, promtail, perfectscale exporter/psc-autoscaler.

Values migrations required by the upgrades:
- backstage v2 chart: removed image.debug (rejected by the chart schema).

Held at the latest patch of the current major line rather than jumping a
disruptive product/transitional release (same conservative rationale as the
EKS/aws and GKE/google decisions):
- kubecost cost-analyzer -> 2.8.6 (2.9.x is a transitional 'agent upgrade
  prep' release that intentionally refuses to render; no 3.x exists yet).
- sonarqube -> 10.8.1 (the chart's 2025/2026 calendar-versioned line is a
  SonarQube product-major change that also breaks the pinned plugin set and
  adds a required monitoringPasscode secret).

NOTE: helm template confirms each chart renders with its values, but does not
flag value keys silently dropped across major versions. Each app should be
reviewed against its upstream upgrade notes via the ArgoCD diff before sync.
Pin the three images that used :latest so deployments are reproducible:
- oauth2-proxy: quay.io/oauth2-proxy/oauth2-proxy:latest -> v7.15.3
- ARC runner: summerwind/actions-runner:latest -> v2.335.1-ubuntu-24.04
- velero wait Job: registry.hub.docker.com/bitnami/kubectl:latest ->
  rancher/kubectl:v1.33.12. Bitnami's free Docker Hub catalog was
  deprecated and its versioned kubectl tags now 404, so this switches to the
  maintained rancher/kubectl image pinned to the 1.33 cluster line.
- actions/checkout v3 -> v7
- actions/setup-python v4 -> v6
- ncipollo/release-action stays at v1 (already the latest major, v1.21.0)
- workflow input defaults: Python 3.12.2 -> 3.12 (resolve latest patch),
  Poetry 1.8.2 -> 2.4.1 (latest stable)

Add .github/dependabot.yml to keep pip (tools), github-actions, and
terraform providers/modules updated weekly so the dependency set does not
fall behind again.
deps(python): upgrade CLI dependencies to latest stable
deps(terraform): upgrade providers, modules & pinned tool versions
deps(helm): upgrade ArgoCD & core-services chart versions
deps(images): pin floating :latest image tags
deps(ci): bump GitHub Actions & add Dependabot
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@oferk0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 49 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 09b9f0aa-87ec-457b-993b-949af6811d66

📥 Commits

Reviewing files that changed from the base of the PR and between eaa528a and 63623e7.

⛔ Files ignored due to path filters (1)
  • tools/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (50)
  • .github/dependabot.yml
  • .github/workflows/pre_release.yml
  • .github/workflows/release.yml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/label-transformer.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno-policies.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/policy-reporter.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/tracee/tracee.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/trivy/trivy-operator.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/harbor.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/cert-manager/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/external-dns/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/external-secrets-operator/external-secrets-operator.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/ingress-nginx/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/kubecost.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/loki.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/ml-services/gpu-operator/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/kube-prometheus-stack.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoringcrd/prometheus-operator-crds.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/oauth2-proxy/oauth2-proxy.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/perfectscale/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/promtail/promtail.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/gitlab/gitlab-runner/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/sonarqube.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/vault/application.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/velero/core/velero.yaml
  • platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/velero/core/wait.yaml
  • platform/installation-manifests/argocd/kustomization.yaml
  • platform/terraform/core_services/main.tf
  • platform/terraform/modules/cloud_aws/eks.tf
  • platform/terraform/modules/cloud_aws/versions.tf
  • platform/terraform/modules/cloud_aws/vpc.tf
  • platform/terraform/modules/cloud_azure/aks.tf
  • platform/terraform/modules/cloud_azure/key_vault.tf
  • platform/terraform/modules/cloud_azure/main.tf
  • platform/terraform/modules/cloud_azure/network.tf
  • platform/terraform/modules/cloud_gcp/main.tf
  • platform/terraform/modules/vcs_gitlab/repository/main.tf
  • platform/terraform/secrets/main.tf
  • tools/cli/common/const/const.py
  • tools/cli/services/cloud/azure/azure_sdk.py
  • tools/cli/services/k8s/config_builder.py
  • tools/pyproject.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant